Cyber Resilience Act
CRA Compliance: How to Sell Your Software After 11.12.27
The Cyber Resilience Act is the most significant piece of European cybersecurity legislation for software ever. Starting December 11, 2027, every manufacturer placing software on the EU market must prove compliance. Non-compliance means your product cannot be sold in the EU.
Scope
Who Needs to Care?
The CRA applies to manufacturers of products with digital elements that connect to the internet. This means that any company that develops and places software on the European market, unless it is already regulated under existing legislation, must comply with the CRA. Firmware, desktop applications, SDKs, and IoT devices, for example, have to be compliant or cannot be sold.
CEOs & CTOs
You need to understand the regulatory risk: products without CRA compliance cannot be sold after the deadline. Penalties can reach up to €15 million or 2.5% of global annual turnover.
Developers & DevSecOps Engineers
You need to understand the technical implications: the CRA requires a secure software development lifecycle (SSDLC), continuous vulnerability handling, and machine-readable SBOMs — all auditable and documented.
Annex I
What Does the CRA Require?
The Cyber Resilience Act defines essential cybersecurity requirements.
Here are the key obligations that directly impact your software development process.
Secure by Design & Default
Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on the associated risks. This includes minimizing attack surfaces, implementing least-privilege principles, and shipping with secure default configurations.
In practice: You need a documented secure development lifecycle — not as a PDF in a drawer, but as a living process reflected in your actual CI/CD pipeline and development workflow.
Vulnerability Handling Process
Manufacturers must identify and document vulnerabilities, including those in third-party components. They must remediate vulnerabilities without delay, apply regular security testing, and provide a coordinated vulnerability disclosure (CVD) policy.
In practice: You need continuous vulnerability scanning across source code, dependencies, containers, and infrastructure — plus a triage and remediation workflow with a full auditable trail.
Software Bill of Materials (SBOM)
The CRA requires manufacturers to identify and document components and dependencies contained in their products, including by generating an SBOM in a commonly used, machine-readable format such as CycloneDX or SPDX.
In practice: SBOMs must be generated for every release, be accurate, and cover both direct and transitive dependencies. You also need to map newly published CVEs against past SBOMs to determine if shipped products are affected.
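The retroactive check described above, matching newly published advisories against the SBOM archived for each shipped release, as an added example that is not part of the original page or of DevGuard. The CycloneDX documents, package names and advisory IDs are constructed placeholders, not real components or CVEs; the advisory version ranges use the OSV-style "introduced"/"fixed" convention and a minimal dotted-numeric version compare, both assumptions made for this example.

```python
"""Match newly published advisories against archived per-release CycloneDX
SBOMs to find which shipped releases contain an affected component.

Added example. All SBOM contents, package names and advisory IDs below are
constructed placeholders. Version ranges follow the OSV-style
"introduced"/"fixed" convention and versions are compared with a minimal
dotted-numeric key (assumptions for this example, not CRA requirements).
"""
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 documents, one per shipped release, as they would
# be archived from the CI/CD pipeline at release time.
ARCHIVED_SBOMS = {
    "v1.0.0": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-parser", "version": "1.1.0",
         "purl": "pkg:npm/example-parser@1.1.0"},
        {"type": "library", "name": "example-crypto", "version": "2.9.0",
         "purl": "pkg:pypi/example-crypto@2.9.0"},
    ]}),
    "v1.1.0": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-parser", "version": "1.2.1",
         "purl": "pkg:npm/example-parser@1.2.1"},
        {"type": "library", "name": "example-crypto", "version": "2.9.0",
         "purl": "pkg:pypi/example-crypto@2.9.0"},
        # A transitive copy nested under its parent, as CycloneDX allows: the
        # direct dependency was upgraded, but an older copy still ships.
        {"type": "library", "name": "example-cli", "version": "2.0.0",
         "purl": "pkg:npm/example-cli@2.0.0",
         "components": [{"type": "library", "name": "example-parser", "version": "1.0.5",
                         "purl": "pkg:npm/example-parser@1.0.5"}]},
        {"type": "library", "name": "example-http", "version": "v0.4.2",
         "purl": "pkg:golang/example.org/example-http@v0.4.2?type=module"},
    ]}),
    "v1.2.0": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-parser", "version": "1.3.0",
         "purl": "pkg:npm/example-parser@1.3.0"},
        {"type": "library", "name": "example-crypto", "version": "3.0.0",
         "purl": "pkg:pypi/example-crypto@3.0.0"},
    ]}),
}

# Constructed advisories (placeholder IDs, not real CVEs) keyed by version-less purl.
NEW_ADVISORIES = [
    {"id": "VULN-PLACEHOLDER-1", "package": "pkg:npm/example-parser",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.2.1"}]},
    {"id": "VULN-PLACEHOLDER-2", "package": "pkg:pypi/example-crypto",
     "ranges": [{"introduced": "0", "fixed": "3.0.0"}]},
    {"id": "VULN-PLACEHOLDER-3", "package": "pkg:golang/example.org/example-http",
     "ranges": [{"introduced": "0.4.0", "fixed": "0.5.0"}]},
    {"id": "VULN-PLACEHOLDER-4", "package": "pkg:npm/example-not-shipped",
     "ranges": [{"introduced": "0"}]},
]


def split_purl(purl):
    """Return (package, version) from a purl, dropping qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, None


def version_key(version):
    """Minimal dotted-numeric key; pre-release/build suffixes and leading 'v' are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = []
    for part in core.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version, rng):
    """True when introduced <= version < fixed (no 'fixed' means still affected)."""
    key = version_key(version)
    if key < version_key(rng.get("introduced", "0")):
        return False
    fixed = rng.get("fixed")
    return fixed is None or key < version_key(fixed)


def iter_components(sbom_json):
    """Yield (purl, package, version) for every component, including nested ones."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    queue = list(sbom.get("components", []))
    while queue:
        comp = queue.pop(0)
        queue.extend(comp.get("components", []))
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched by package identity
        package, version = split_purl(purl)
        yield purl, package, version or comp.get("version")


def match_advisories(archived_sboms, advisories):
    """Return {advisory_id: {release: [affected purl, ...]}} over all archived releases."""
    index = defaultdict(list)  # package -> [(release, purl, version)]
    for release, doc in archived_sboms.items():
        for purl, package, version in iter_components(doc):
            index[package].append((release, purl, version))
    hits = defaultdict(lambda: defaultdict(list))
    for adv in advisories:
        for release, purl, version in index.get(adv["package"], []):
            if version and any(in_range(version, r) for r in adv["ranges"]):
                hits[adv["id"]][release].append(purl)
    return {adv_id: dict(per_release) for adv_id, per_release in hits.items()}


def releases_needing_patch(hits):
    """Sorted list of shipped releases that contain at least one affected component."""
    return sorted({release for per_release in hits.values() for release in per_release})


if __name__ == "__main__":
    found = match_advisories(ARCHIVED_SBOMS, NEW_ADVISORIES)
    for adv_id, per_release in found.items():
        for release, purls in per_release.items():
            print(f"{adv_id}: release {release} ships {', '.join(purls)}")
    print("releases needing a security update:", releases_needing_patch(found))
```

The nested copy of example-parser in v1.1.0 is the case the paragraph's "direct and transitive dependencies" warns about: the direct dependency was already on the fixed version, yet the release still ships an affected copy, which only an SBOM that records nested components will reveal.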
Security Updates & Patch Management
Manufacturers must ensure that vulnerabilities can be addressed through security updates. Updates should be provided free of charge, and users must be informed about the security implications.
In practice: You need a process that links discovered vulnerabilities to actionable patches, tracks remediation status, and ensures that updates reach your users in a timely manner.
Conformity Assessment & Technical Documentation
Depending on the product category, CRA compliance can require self-assessment, third-party assessment, or EU-type examination. In all cases, the manufacturer must maintain technical documentation demonstrating compliance.
In practice: You need evidence. Every scan, every triage decision, every policy you enforce — it must be documented and retrievable. "We do this, trust us" is not an answer for an auditor.
DevGuard & CRA
How DevGuard Enables CRA Compliance
DevGuard is an open-source platform for modern application security, designed to make continuous security — and the evidence of that security — a natural byproduct of your development process, not an afterthought.
Automated Vulnerability Scanning Across the Full Stack
SCA, SAST, container scanning, IaC scanning, secret detection, and DAST — all integrated into a single unified pipeline that runs in your existing CI/CD.
SBOM Generation & Lifecycle Management
CycloneDX SBOMs generated automatically as part of your CI/CD pipeline. Stored per release and continuously matched against newly disclosed CVEs — even retroactively.
Risk-Based Triage & Remediation Workflow
Evaluate, prioritize, and track the remediation of findings. Every triage decision is recorded with a timestamp, a rationale, and the responsible person.
Policy-as-Code & Automated Compliance Checks
Define security policies that are automatically enforced across all your projects. Non-compliant code never reaches production — enforced by code, not willpower.
Signed Attestations & Verifiable Evidence
In-toto attestations and Sigstore-based signing create cryptographically verifiable, tamper-proof audit trails that strengthen your conformity assessment documentation.
Native GitHub & GitLab Integration
Integrates directly into your existing repos and CI/CD pipelines. No separate portal to check — CRA compliance becomes a natural byproduct of your workflow.
Key Dates
The Clock is Ticking.
Organizations that wait until late 2027 to begin implementing a secure development lifecycle, vulnerability handling process, and SBOM management will find themselves in a race they cannot win. CRA compliance requires process maturity, tooling integration, and team adoption — none of which happen overnight.
CRA Entered into Force
2024-11-20
Published in the Official Journal of the EU
Reporting Obligations Begin
2026-09-11
Vulnerability reporting for actively exploited issues becomes mandatory
Full Application
2027-12-11
All CRA requirements become mandatory for every product
By Example
We Use DevGuard to Achieve CRA Compliance Ourselves
We believe in eating our own cooking. DevGuard itself is developed using DevGuard. Every requirement that the CRA places on manufacturers of products with digital elements — we meet it in our own development process.
Continuous Vulnerability Scanning
Every commit to the DevGuard codebase triggers automated SCA, SAST, container scanning, and secret detection.
Automated SBOM Generation
Every release of DevGuard includes a CycloneDX SBOM generated automatically in our CI/CD pipeline.
Risk-Based Triage Workflow
When vulnerabilities are found, they enter our triage workflow. Each finding is assessed, prioritized, assigned, and tracked to resolution.
Policy Enforcement
We define security policies that gate our releases. These policies are enforced automatically — not by willpower, but by code.
Signed Attestations
Our build and security artifacts are signed using in-toto and Sigstore, providing cryptographic proof of our security process integrity.
Start securing your applications in minutes, not months.
DevGuard allows you to start securing your applications in minutes. No complex setup, no code changes, just instant visibility and protection.